Using machine auth from a remote eduroam site

[Alan Buxey]

you already have a TLS PKI - its in Windows AD for your pleasure to
use - you just need to get them to use a server chain that matches
what you can trust in your FR setup - or just proxy EAP-TLS to an NPS
in the AD...  ;-)

PS have you tried GEANTLink for the supplicant (its what eduroamCAT
uses for TTLS support) - https://github.com/Amebis/GEANTLink

alan